As the old security cliché goes, "people are the weakest link in the security chain." ESG tested this theory in its recently published research report, "U.S. Advanced Persistent Threat Analysis."
http://www.enterprisestrategygroup.com/2011/11/apt/?utm_source=Homepage&...
According to the security professionals surveyed for this report, non-IT employees' security skills remain poor:
* 49% of respondents rated their organization's non-IT employees' general security knowledge as "fair" or "poor."
* 55% of respondents rated their organization's non-IT employees' knowledge of APT concepts like social engineering as "fair" or "poor."
Non-IT employee security knowledge was a problem even at organizations that qualified as "most prepared for APTs" in the ESG taxonomy -- 17% of these security-focused firms rated their non-IT employees' general security knowledge as "fair" or "poor," while 25% rated their employees' knowledge of APT concepts like social engineering as "fair" or "poor."
So even in the face of new types of attacks, workers remain largely in the dark about cybersecurity threats and best practices. What should be done? The traditional answer is that we need more frequent and effective user training. While this is never a bad idea, I've arrived at the conclusion that it will never succeed. As cyber attacks become stealthier and more sophisticated, security training will become less and less effective. It seems to me that end-user security training has become the IT equivalent of the Reagan-era "war on drugs": we spend a ton of money for marginal results.
I think we, as security professionals, need to admit that end-user security is analogous to protecting our kids when they are toddlers. We don't expect a toddler to stay safe around electrical outlets and hazardous items; rather than lecturing our kids, we actively "child-proof" our homes. While adults are more receptive to training than children, we have to assume that they will take cybersecurity actions equivalent to sticking their fingers in an electrical outlet -- causing damage to themselves, their endpoint devices, and ultimately the organization at large.
My suggestion is that we effectively "child-proof" our networks with much stronger access controls and endpoint security. We need to limit who can access Facebook (and other social networking sites) and what they can do. We need to finally implement network access controls on PCs, mobile devices, and access switches. We need strong web threat management controls. We need to use endpoint virtualization more extensively and intelligently. We need to sandbox browsers from systems. We need strong authentication. We need to monitor user behavior.
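To make the "child-proofing" idea concrete, here is an added example (not code from the original post or from ESG) of the two controls that are easiest to express in a few lines: a default-deny web access policy that limits which groups can reach social networking sites and whether they may post there, plus a simple behavior monitor that flags users who repeatedly hit policy denials. The domain categories, user groups, policy table, log format and flagging threshold are all assumptions constructed for the example; a real deployment would take categories from a web filtering feed and groups from the directory.

```python
"""Added example: default-deny web access policy plus user-behavior
monitoring over constructed proxy log lines. All categories, groups,
policy entries and thresholds are assumptions, not from the original post."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Assumed category map (domain -> category). A real filter would use a
# categorisation feed; this is just enough to exercise the policy.
CATEGORIES: Dict[str, str] = {
    "facebook.com": "social",
    "twitter.com": "social",
    "github.com": "dev",
    "intranet.example.internal": "business",
    "pastebin.com": "file-sharing",
}

# Assumed policy: per group, the categories it may reach and the HTTP
# methods allowed there. Anything not listed is denied (default-deny),
# which is what "limit who can access Facebook and what they can do" means.
POLICY = {
    "staff": {"business": {"GET", "POST"}, "social": {"GET"}},
    "marketing": {"business": {"GET", "POST"}, "social": {"GET", "POST"}},
    "engineering": {"business": {"GET", "POST"}, "dev": {"GET", "POST"}},
}

# Assumed group membership (would come from the directory in practice).
GROUPS = {"alice": "marketing", "bob": "staff", "carol": "engineering"}


@dataclass
class Decision:
    user: str
    url: str
    method: str
    category: str
    allowed: bool
    reason: str


def categorise(url: str) -> str:
    """Map a URL to a category by matching its host against known domains."""
    host = urlparse(url).hostname or ""
    for domain, cat in CATEGORIES.items():
        # Match the domain itself and any subdomain (www.facebook.com).
        if host == domain or host.endswith("." + domain):
            return cat
    return "uncategorised"


def decide(user: str, method: str, url: str) -> Decision:
    """Apply the policy to one request; unknown users and categories are denied."""
    cat = categorise(url)
    group = GROUPS.get(user)
    if group is None:
        return Decision(user, url, method, cat, False, "unknown user")
    allowed_methods = POLICY[group].get(cat, set())
    if method in allowed_methods:
        return Decision(user, url, method, cat, True, "policy allows")
    if cat in POLICY[group]:
        return Decision(user, url, method, cat, False, f"{method} not allowed for {cat}")
    return Decision(user, url, method, cat, False, f"category {cat} denied by default")


def parse_line(line: str):
    """Constructed log format: '<time> <user> <method> <url>'."""
    _ts, user, method, url = line.split()
    return user, method, url


def evaluate(lines: List[str]) -> List[Decision]:
    """Run every log line through the policy."""
    return [decide(*parse_line(line)) for line in lines]


def flag_users(decisions: List[Decision], threshold: int = 2) -> List[str]:
    """Behavior monitoring: users with >= threshold denied requests get flagged
    for review, regardless of whether they ever received training."""
    denied = Counter(d.user for d in decisions if not d.allowed)
    return sorted(user for user, count in denied.items() if count >= threshold)


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "10:00:01 alice GET https://www.facebook.com/feed",
    "10:00:05 alice POST https://www.facebook.com/upload",
    "10:01:00 bob GET https://facebook.com/",
    "10:01:10 bob POST https://facebook.com/upload",
    "10:01:20 bob GET https://pastebin.com/raw/abc",
    "10:02:00 carol POST https://github.com/org/repo",
    "10:02:30 carol GET https://pastebin.com/",
    "10:03:00 dave GET https://intranet.example.internal/",
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_LOG)
    for d in results:
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {d.user:6} {d.method:4} {d.url}  ({d.reason})")
    print("flagged for review:", flag_users(results))
```

The point of the structure is that the user never has to recognise the threat: a staff member who tries to upload to a social site is stopped by the policy table, not by remembering a training slide, and repeated denials surface that user to the security team rather than relying on self-reporting.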
I could go on and on here, but my general point is simple. Let's stop assuming that end users have the knowledge and skills to recognize threats and practice safe computing. They can't and they won't. I'm not saying that we should abandon security training, but it seems clear that we should build security controls on the assumption that, in spite of security training of any kind, end users will continue to do more harm than good.